2005-04-17 05:20:36 +07:00
#include <linux/linkage.h>
#include <linux/errno.h>

#include <asm/unistd.h>

/* we can't #include <linux/syscalls.h> here,
   but tell gcc to not warn with -Wmissing-prototypes */
asmlinkage long sys_ni_syscall(void);

/*
 * Non-implemented system calls get redirected here.
 */
asmlinkage long sys_ni_syscall(void)
{
	return -ENOSYS;
}

cond_syscall(sys_quotactl);
cond_syscall(sys32_quotactl);
cond_syscall(sys_acct);
cond_syscall(sys_lookup_dcookie);
cond_syscall(compat_sys_lookup_dcookie);
cond_syscall(sys_swapon);
cond_syscall(sys_swapoff);
cond_syscall(sys_kexec_load);
cond_syscall(compat_sys_kexec_load);
cond_syscall(sys_kexec_file_load);
cond_syscall(sys_init_module);
module: add syscall to load module from fd
As part of the effort to create a stronger boundary between root and
kernel, Chrome OS wants to be able to enforce that kernel modules are
being loaded only from our read-only crypto-hash verified (dm_verity)
root filesystem. Since the init_module syscall hands the kernel a module
as a memory blob, no reasoning about the origin of the blob can be made.
Earlier proposals for appending signatures to kernel modules would not be
useful in Chrome OS, since it would involve adding an additional set of
keys to our kernel and builds for no good reason: we already trust the
contents of our root filesystem. We don't need to verify those kernel
modules a second time. Having to do signature checking on module loading
would slow us down and be redundant. All we need to know is where a
module is coming from so we can say yes/no to loading it.
If a file descriptor is used as the source of a kernel module, many more
things can be reasoned about. In Chrome OS's case, we could enforce that
the module lives on the filesystem we expect it to live on. In the case
of IMA (or other LSMs), it would be possible, for example, to examine
extended attributes that may contain signatures over the contents of
the module.
This introduces a new syscall (on x86), similar to init_module, that has
only two arguments. The first argument is used as a file descriptor to
the module and the second argument is a pointer to the NULL terminated
string of module arguments.
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> (merge fixes)
2012-10-16 04:01:07 +07:00
cond_syscall(sys_finit_module);
cond_syscall(sys_delete_module);
cond_syscall(sys_socketpair);
cond_syscall(sys_bind);
cond_syscall(sys_listen);
cond_syscall(sys_accept);
reintroduce accept4
Introduce a new accept4() system call. The addition of this system call
matches analogous changes in 2.6.27 (dup3(), eventfd2(), signalfd4(),
inotify_init1(), epoll_create1(), pipe2()) which added new system calls
that differed from analogous traditional system calls in adding a flags
argument that can be used to access additional functionality.
The accept4() system call is exactly the same as accept(), except that
it adds a flags bit-mask argument. Two flags are initially implemented.
(Most of the new system calls in 2.6.27 also had both of these flags.)
SOCK_CLOEXEC causes the close-on-exec (FD_CLOEXEC) flag to be enabled
for the new file descriptor returned by accept4(). This is a useful
security feature to avoid leaking information in a multithreaded
program where one thread is doing an accept() at the same time as
another thread is doing a fork() plus exec(). (More details here:
http://udrepper.livejournal.com/20407.html "Secure File Descriptor Handling",
Ulrich Drepper.)
The other flag is SOCK_NONBLOCK, which causes the O_NONBLOCK flag
to be enabled on the new open file description created by accept4().
(This flag is merely a convenience, saving the use of additional calls
fcntl(F_GETFL) and fcntl(F_SETFL) to achieve the same result.)
Here's a test program. Works on x86-32. Should work on x86-64, but
I (mtk) don't have a system to hand to test with.
It tests accept4() with each of the four possible combinations of
SOCK_CLOEXEC and SOCK_NONBLOCK set/clear in 'flags', and verifies
that the appropriate flags are set on the file descriptor/open file
description returned by accept4().
I tested Ulrich's patch in this thread by applying against 2.6.28-rc2,
and it passes according to my test program.
/* test_accept4.c

  Copyright (C) 2008, Linux Foundation, written by Michael Kerrisk
     <mtk.manpages@gmail.com>

  Licensed under the GNU GPLv2 or later.
*/
#define _GNU_SOURCE
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>

#define PORT_NUM 33333

#define die(msg) do { perror(msg); exit(EXIT_FAILURE); } while (0)

/**********************************************************************/

/* The following is what we need until glibc gets a wrapper for
  accept4() */

/* Flags for socket(), socketpair(), accept4() */
#ifndef SOCK_CLOEXEC
#define SOCK_CLOEXEC O_CLOEXEC
#endif
#ifndef SOCK_NONBLOCK
#define SOCK_NONBLOCK O_NONBLOCK
#endif

#ifdef __x86_64__
#define SYS_accept4 288
#elif __i386__
#define USE_SOCKETCALL 1
#define SYS_ACCEPT4 18
#else
#error "Sorry -- don't know the syscall # on this architecture"
#endif

static int
accept4(int fd, struct sockaddr *sockaddr, socklen_t *addrlen, int flags)
{
    printf("Calling accept4(): flags = %x", flags);
    if (flags != 0) {
        printf(" (");
        if (flags & SOCK_CLOEXEC)
            printf("SOCK_CLOEXEC");
        if ((flags & SOCK_CLOEXEC) && (flags & SOCK_NONBLOCK))
            printf(" ");
        if (flags & SOCK_NONBLOCK)
            printf("SOCK_NONBLOCK");
        printf(")");
    }
    printf("\n");

#if USE_SOCKETCALL
    long args[6];

    args[0] = fd;
    args[1] = (long) sockaddr;
    args[2] = (long) addrlen;
    args[3] = flags;

    return syscall(SYS_socketcall, SYS_ACCEPT4, args);
#else
    return syscall(SYS_accept4, fd, sockaddr, addrlen, flags);
#endif
}

/**********************************************************************/

static int
do_test(int lfd, struct sockaddr_in *conn_addr,
        int closeonexec_flag, int nonblock_flag)
{
    int connfd, acceptfd;
    int fdf, flf, fdf_pass, flf_pass;
    struct sockaddr_in claddr;
    socklen_t addrlen;

    printf("=======================================\n");

    connfd = socket(AF_INET, SOCK_STREAM, 0);
    if (connfd == -1)
        die("socket");
    if (connect(connfd, (struct sockaddr *) conn_addr,
                sizeof(struct sockaddr_in)) == -1)
        die("connect");

    addrlen = sizeof(struct sockaddr_in);
    acceptfd = accept4(lfd, (struct sockaddr *) &claddr, &addrlen,
                       closeonexec_flag | nonblock_flag);
    if (acceptfd == -1) {
        perror("accept4()");
        close(connfd);
        return 0;
    }

    fdf = fcntl(acceptfd, F_GETFD);
    if (fdf == -1)
        die("fcntl:F_GETFD");
    fdf_pass = ((fdf & FD_CLOEXEC) != 0) ==
               ((closeonexec_flag & SOCK_CLOEXEC) != 0);
    printf("Close-on-exec flag is %sset (%s); ",
           (fdf & FD_CLOEXEC) ? "" : "not ",
           fdf_pass ? "OK" : "failed");

    flf = fcntl(acceptfd, F_GETFL);
    if (flf == -1)
        die("fcntl:F_GETFL");    /* was mislabelled F_GETFD; the call is F_GETFL */
    flf_pass = ((flf & O_NONBLOCK) != 0) ==
               ((nonblock_flag & SOCK_NONBLOCK) != 0);
    printf("nonblock flag is %sset (%s)\n",
           (flf & O_NONBLOCK) ? "" : "not ",
           flf_pass ? "OK" : "failed");

    close(acceptfd);
    close(connfd);

    printf("Test result: %s\n", (fdf_pass && flf_pass) ? "PASS" : "FAIL");
    return fdf_pass && flf_pass;
}

static int
create_listening_socket(int port_num)
{
    struct sockaddr_in svaddr;
    int lfd;
    int optval;

    memset(&svaddr, 0, sizeof(struct sockaddr_in));
    svaddr.sin_family = AF_INET;
    svaddr.sin_addr.s_addr = htonl(INADDR_ANY);
    svaddr.sin_port = htons(port_num);

    lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd == -1)
        die("socket");

    optval = 1;
    if (setsockopt(lfd, SOL_SOCKET, SO_REUSEADDR, &optval,
                   sizeof(optval)) == -1)
        die("setsockopt");

    if (bind(lfd, (struct sockaddr *) &svaddr,
             sizeof(struct sockaddr_in)) == -1)
        die("bind");

    if (listen(lfd, 5) == -1)
        die("listen");

    return lfd;
}

int
main(int argc, char *argv[])
{
    struct sockaddr_in conn_addr;
    int lfd;
    int port_num;
    int passed;

    passed = 1;

    port_num = (argc > 1) ? atoi(argv[1]) : PORT_NUM;

    memset(&conn_addr, 0, sizeof(struct sockaddr_in));
    conn_addr.sin_family = AF_INET;
    conn_addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    conn_addr.sin_port = htons(port_num);

    lfd = create_listening_socket(port_num);

    if (!do_test(lfd, &conn_addr, 0, 0))
        passed = 0;
    if (!do_test(lfd, &conn_addr, SOCK_CLOEXEC, 0))
        passed = 0;
    if (!do_test(lfd, &conn_addr, 0, SOCK_NONBLOCK))
        passed = 0;
    if (!do_test(lfd, &conn_addr, SOCK_CLOEXEC, SOCK_NONBLOCK))
        passed = 0;

    close(lfd);

    exit(passed ? EXIT_SUCCESS : EXIT_FAILURE);
}
[mtk.manpages@gmail.com: rewrote changelog, updated test program]
Signed-off-by: Ulrich Drepper <drepper@redhat.com>
Tested-by: Michael Kerrisk <mtk.manpages@gmail.com>
Acked-by: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: <linux-api@vger.kernel.org>
Cc: <linux-arch@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-11-20 06:36:14 +07:00
cond_syscall(sys_accept4);
cond_syscall(sys_connect);
cond_syscall(sys_getsockname);
cond_syscall(sys_getpeername);
cond_syscall(sys_sendto);
cond_syscall(sys_send);
cond_syscall(sys_recvfrom);
cond_syscall(sys_recv);
cond_syscall(sys_socket);
cond_syscall(sys_setsockopt);
cond_syscall(compat_sys_setsockopt);
cond_syscall(sys_getsockopt);
cond_syscall(compat_sys_getsockopt);
cond_syscall(sys_shutdown);
cond_syscall(sys_sendmsg);
cond_syscall(sys_sendmmsg);
cond_syscall(compat_sys_sendmsg);
cond_syscall(compat_sys_sendmmsg);
cond_syscall(sys_recvmsg);
cond_syscall(sys_recvmmsg);
cond_syscall(compat_sys_recvmsg);
cond_syscall(compat_sys_recv);
cond_syscall(compat_sys_recvfrom);
cond_syscall(compat_sys_recvmmsg);
cond_syscall(sys_socketcall);
cond_syscall(sys_futex);
cond_syscall(compat_sys_futex);
cond_syscall(sys_set_robust_list);
cond_syscall(compat_sys_set_robust_list);
cond_syscall(sys_get_robust_list);
cond_syscall(compat_sys_get_robust_list);
cond_syscall(sys_epoll_create);
cond_syscall(sys_epoll_create1);
cond_syscall(sys_epoll_ctl);
cond_syscall(sys_epoll_wait);
cond_syscall(sys_epoll_pwait);
cond_syscall(compat_sys_epoll_pwait);
cond_syscall(sys_semget);
cond_syscall(sys_semop);
cond_syscall(sys_semtimedop);
cond_syscall(compat_sys_semtimedop);
cond_syscall(sys_semctl);
cond_syscall(compat_sys_semctl);
cond_syscall(sys_msgget);
cond_syscall(sys_msgsnd);
cond_syscall(compat_sys_msgsnd);
cond_syscall(sys_msgrcv);
cond_syscall(compat_sys_msgrcv);
cond_syscall(sys_msgctl);
cond_syscall(compat_sys_msgctl);
cond_syscall(sys_shmget);
cond_syscall(sys_shmat);
cond_syscall(compat_sys_shmat);
cond_syscall(sys_shmdt);
cond_syscall(sys_shmctl);
cond_syscall(compat_sys_shmctl);
cond_syscall(sys_mq_open);
cond_syscall(sys_mq_unlink);
cond_syscall(sys_mq_timedsend);
cond_syscall(sys_mq_timedreceive);
cond_syscall(sys_mq_notify);
cond_syscall(sys_mq_getsetattr);
cond_syscall(compat_sys_mq_open);
cond_syscall(compat_sys_mq_timedsend);
cond_syscall(compat_sys_mq_timedreceive);
cond_syscall(compat_sys_mq_notify);
cond_syscall(compat_sys_mq_getsetattr);
cond_syscall(sys_mbind);
cond_syscall(sys_get_mempolicy);
cond_syscall(sys_set_mempolicy);
cond_syscall(compat_sys_mbind);
cond_syscall(compat_sys_get_mempolicy);
cond_syscall(compat_sys_set_mempolicy);
cond_syscall(sys_add_key);
cond_syscall(sys_request_key);
cond_syscall(sys_keyctl);
cond_syscall(compat_sys_keyctl);
cond_syscall(compat_sys_socketcall);
[PATCH] inotify
inotify is intended to correct the deficiencies of dnotify, particularly
its inability to scale and its terrible user interface:
* dnotify requires the opening of one fd per each directory
that you intend to watch. This quickly results in too many
open files and pins removable media, preventing unmount.
* dnotify is directory-based. You only learn about changes to
directories. Sure, a change to a file in a directory affects
the directory, but you are then forced to keep a cache of
stat structures.
* dnotify's interface to user-space is awful. Signals?
inotify provides a more usable, simple, powerful solution to file change
notification:
* inotify's interface is a system call that returns a fd, not SIGIO.
You get a single fd, which is select()-able.
* inotify has an event that says "the filesystem that the item
you were watching is on was unmounted."
* inotify can watch directories or files.
Inotify is currently used by Beagle (a desktop search infrastructure),
Gamin (a FAM replacement), and other projects.
See Documentation/filesystems/inotify.txt.
Signed-off-by: Robert Love <rml@novell.com>
Cc: John McCutchan <ttb@tentacle.dhs.org>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-07-13 04:06:03 +07:00
cond_syscall(sys_inotify_init);
cond_syscall(sys_inotify_init1);
cond_syscall(sys_inotify_add_watch);
cond_syscall(sys_inotify_rm_watch);
cond_syscall(sys_migrate_pages);
cond_syscall(sys_move_pages);
cond_syscall(sys_chown16);
cond_syscall(sys_fchown16);
cond_syscall(sys_getegid16);
cond_syscall(sys_geteuid16);
cond_syscall(sys_getgid16);
cond_syscall(sys_getgroups16);
cond_syscall(sys_getresgid16);
cond_syscall(sys_getresuid16);
cond_syscall(sys_getuid16);
cond_syscall(sys_lchown16);
cond_syscall(sys_setfsgid16);
cond_syscall(sys_setfsuid16);
cond_syscall(sys_setgid16);
cond_syscall(sys_setgroups16);
cond_syscall(sys_setregid16);
cond_syscall(sys_setresgid16);
cond_syscall(sys_setresuid16);
cond_syscall(sys_setreuid16);
cond_syscall(sys_setuid16);
cond_syscall(sys_sgetmask);
cond_syscall(sys_ssetmask);
cond_syscall(sys_vm86old);
cond_syscall(sys_vm86);
cond_syscall(sys_ipc);
cond_syscall(compat_sys_ipc);
cond_syscall(compat_sys_sysctl);
cond_syscall(sys_flock);
cond_syscall(sys_io_setup);
cond_syscall(sys_io_destroy);
cond_syscall(sys_io_submit);
cond_syscall(sys_io_cancel);
cond_syscall(sys_io_getevents);
cond_syscall(sys_sysfs);
cond_syscall(sys_syslog);
cond_syscall(sys_process_vm_readv);
cond_syscall(sys_process_vm_writev);
cond_syscall(compat_sys_process_vm_readv);
cond_syscall(compat_sys_process_vm_writev);
cond_syscall(sys_uselib);
cond_syscall(sys_fadvise64);
cond_syscall(sys_fadvise64_64);
cond_syscall(sys_madvise);

/* arch-specific weak syscall entries */
cond_syscall(sys_pciconfig_read);
cond_syscall(sys_pciconfig_write);
cond_syscall(sys_pciconfig_iobase);
cond_syscall(compat_sys_s390_ipc);
cond_syscall(ppc_rtas);
cond_syscall(sys_spu_run);
cond_syscall(sys_spu_create);
[POWERPC] Provide a way to protect 4k subpages when using 64k pages
Using 64k pages on 64-bit PowerPC systems makes life difficult for
emulators that are trying to emulate an ISA, such as x86, which use a
smaller page size, since the emulator can no longer use the MMU and
the normal system calls for controlling page protections. Of course,
the emulator can emulate the MMU by checking and possibly remapping
the address for each memory access in software, but that is pretty
slow.
This provides a facility for such programs to control the access
permissions on individual 4k sub-pages of 64k pages. The idea is
that the emulator supplies an array of protection masks to apply to a
specified range of virtual addresses. These masks are applied at the
level where hardware PTEs are inserted into the hardware page table
based on the Linux PTEs, so the Linux PTEs are not affected. Note
that this new mechanism does not allow any access that would otherwise
be prohibited; it can only prohibit accesses that would otherwise be
allowed. This new facility is only available on 64-bit PowerPC and
only when the kernel is configured for 64k pages.
The masks are supplied using a new subpage_prot system call, which
takes a starting virtual address and length, and a pointer to an array
of protection masks in memory. The array has a 32-bit word per 64k
page to be protected; each 32-bit word consists of 16 2-bit fields,
for which 0 allows any access (that is otherwise allowed), 1 prevents
write accesses, and 2 or 3 prevent any access.
Implicit in this is that the regions of the address space that are
protected are switched to use 4k hardware pages rather than 64k
hardware pages (on machines with hardware 64k page support). In fact
the whole process is switched to use 4k hardware pages when the
subpage_prot system call is used, but this could be improved in future
to switch only the affected segments.
The subpage protection bits are stored in a 3 level tree akin to the
page table tree. The top level of this tree is stored in a structure
that is appended to the top level of the page table tree, i.e., the
pgd array. Since it will often only be 32-bit addresses (below 4GB)
that are protected, the pointers to the first four bottom level pages
are also stored in this structure (each bottom level page contains the
protection bits for 1GB of address space), so the protection bits for
addresses below 4GB can be accessed with one fewer load than those
for higher addresses.
Signed-off-by: Paul Mackerras <paulus@samba.org>
2008-01-24 04:35:13 +07:00
cond_syscall(sys_subpage_prot);
cond_syscall(sys_s390_pci_mmio_read);
cond_syscall(sys_s390_pci_mmio_write);

/* mmu depending weak syscall entries */
cond_syscall(sys_mprotect);
cond_syscall(sys_msync);
cond_syscall(sys_mlock);
cond_syscall(sys_munlock);
cond_syscall(sys_mlockall);
cond_syscall(sys_munlockall);
cond_syscall(sys_mincore);
cond_syscall(sys_madvise);
cond_syscall(sys_mremap);
cond_syscall(sys_remap_file_pages);
cond_syscall(compat_sys_move_pages);
cond_syscall(compat_sys_migrate_pages);
[PATCH] BLOCK: Make it possible to disable the block layer [try #6]
Make it possible to disable the block layer. Not all embedded devices require
it, some can make do with just JFFS2, NFS, ramfs, etc - none of which require
the block layer to be present.
This patch does the following:
(*) Introduces CONFIG_BLOCK to disable the block layer, buffering and blockdev
support.
(*) Adds dependencies on CONFIG_BLOCK to any configuration item that controls
an item that uses the block layer. This includes:
(*) Block I/O tracing.
(*) Disk partition code.
(*) All filesystems that are block based, eg: Ext3, ReiserFS, ISOFS.
(*) The SCSI layer. As far as I can tell, even SCSI chardevs use the
block layer to do scheduling. Some drivers that use SCSI facilities -
such as USB storage - end up disabled indirectly from this.
(*) Various block-based device drivers, such as IDE and the old CDROM
drivers.
(*) MTD blockdev handling and FTL.
(*) JFFS - which uses set_bdev_super(), something it could avoid doing by
taking a leaf out of JFFS2's book.
(*) Makes most of the contents of linux/blkdev.h, linux/buffer_head.h and
linux/elevator.h contingent on CONFIG_BLOCK being set. sector_div() is,
however, still used in places, and so is still available.
(*) Also made contingent are the contents of linux/mpage.h, linux/genhd.h and
parts of linux/fs.h.
(*) Makes a number of files in fs/ contingent on CONFIG_BLOCK.
(*) Makes mm/bounce.c (bounce buffering) contingent on CONFIG_BLOCK.
(*) set_page_dirty() doesn't call __set_page_dirty_buffers() if CONFIG_BLOCK
is not enabled.
(*) fs/no-block.c is created to hold out-of-line stubs and things that are
required when CONFIG_BLOCK is not set:
(*) Default blockdev file operations (to give error ENODEV on opening).
(*) Makes some /proc changes:
(*) /proc/devices does not list any blockdevs.
(*) /proc/diskstats and /proc/partitions are contingent on CONFIG_BLOCK.
(*) Makes some compat ioctl handling contingent on CONFIG_BLOCK.
(*) If CONFIG_BLOCK is not defined, makes sys_quotactl() return -ENODEV if
given command other than Q_SYNC or if a special device is specified.
(*) In init/do_mounts.c, no reference is made to the blockdev routines if
CONFIG_BLOCK is not defined. This does not prohibit NFS roots or JFFS2.
(*) The bdflush, ioprio_set and ioprio_get syscalls can now be absent (return
error ENOSYS by way of cond_syscall if so).
(*) The seclvl_bd_claim() and seclvl_bd_release() security calls do nothing if
CONFIG_BLOCK is not set, since they can't then happen.
Signed-Off-By: David Howells <dhowells@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2006-10-01 01:45:40 +07:00

/* block-layer dependent */
cond_syscall(sys_bdflush);
cond_syscall(sys_ioprio_set);
cond_syscall(sys_ioprio_get);
signal/timer/event: signalfd core
This patch series implements the new signalfd() system call.
I took part of the original Linus code (and you know how badly it can be
broken :), and I added even more breakage ;) Signals are fetched from the same
signal queue used by the process, so signalfd will compete with standard
kernel delivery in dequeue_signal(). If you want to reliably fetch signals on
the signalfd file, you need to block them with sigprocmask(SIG_BLOCK). This
seems to be working fine on my Dual Opteron machine. I made a quick test
program for it:
http://www.xmailserver.org/signafd-test.c
The signalfd() system call implements signal delivery into a file descriptor
receiver. The signalfd file descriptor is created with the following API:
int signalfd(int ufd, const sigset_t *mask, size_t masksize);
The "ufd" parameter allows to change an existing signalfd sigmask, w/out going
to close/create cycle (Linus idea). Use "ufd" == -1 if you want a brand new
signalfd file.
The "mask" allows to specify the signal mask of signals that we are interested
in. The "masksize" parameter is the size of "mask".
The signalfd fd supports the poll(2) and read(2) system calls. The poll(2)
will return POLLIN when signals are available to be dequeued. As a direct
consequence of supporting the Linux poll subsystem, the signalfd fd can be
used together with epoll(2) too.
The read(2) system call will return a "struct signalfd_siginfo" structure in
the userspace supplied buffer. The return value is the number of bytes copied
in the supplied buffer, or -1 in case of error. The read(2) call can also
return 0, in case the sighand structure to which the signalfd was attached,
has been orphaned. The O_NONBLOCK flag is also supported, and read(2) will
return -EAGAIN in case no signal is available.
If the size of the buffer passed to read(2) is lower than sizeof(struct
signalfd_siginfo), -EINVAL is returned. A read from the signalfd can also
return -ERESTARTSYS in case a signal hits the process. The format of
struct signalfd_siginfo is shown below; the valid fields depend on the
(->code & __SI_MASK) value, in the same way they would for a struct siginfo:

struct signalfd_siginfo {
	__u32 signo;	/* si_signo */
	__s32 err;	/* si_errno */
	__s32 code;	/* si_code */
	__u32 pid;	/* si_pid */
	__u32 uid;	/* si_uid */
	__s32 fd;	/* si_fd */
	__u32 tid;	/* si_tid */
	__u32 band;	/* si_band */
	__u32 overrun;	/* si_overrun */
	__u32 trapno;	/* si_trapno */
	__s32 status;	/* si_status */
	__s32 svint;	/* si_int */
	__u64 svptr;	/* si_ptr */
	__u64 utime;	/* si_utime */
	__u64 stime;	/* si_stime */
	__u64 addr;	/* si_addr */
};
[akpm@linux-foundation.org: fix signalfd_copyinfo() on i386]
Signed-off-by: Davide Libenzi <davidel@xmailserver.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-05-11 12:23:13 +07:00
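Added example, not code from Davide's patch: a user-space C program that does what the commit message describes, blocking SIGUSR1 with sigprocmask(SIG_BLOCK) so that normal delivery cannot race the signalfd, opening a signalfd through the glibc signalfd() wrapper, posting the signal to itself and dequeuing it with read(2), and checking the short-buffer EINVAL rule. The helper names are ours; SFD_CLOEXEC and SFD_NONBLOCK are the flags added later by signalfd4 and are assumed to be available in the headers.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <unistd.h>
#include <sys/signalfd.h>

/* Hypothetical helper, not kernel code.  Blocks `signo`, opens a signalfd
 * for it, optionally posts the signal to ourselves, and tries to dequeue
 * it.  Returns the dequeued signal number, 0 if nothing was pending
 * (read() failed with EAGAIN), or -1 on a hard error.  If `cloexec_set`
 * is non-NULL it receives whether FD_CLOEXEC is set on the new fd. */
int signalfd_fetch_once(int signo, int post_signal, int *cloexec_set)
{
	sigset_t mask, old;
	struct signalfd_siginfo si;
	int fd, fdflags, result = -1;
	ssize_t n;

	/* Block the signal first: otherwise the normal delivery path in
	 * dequeue_signal() competes with the signalfd and may consume it
	 * before our read() gets there. */
	sigemptyset(&mask);
	sigaddset(&mask, signo);
	if (sigprocmask(SIG_BLOCK, &mask, &old) == -1)
		return -1;

	/* ufd == -1 asks for a brand-new signalfd.  SFD_NONBLOCK makes
	 * read() fail with EAGAIN instead of sleeping when nothing is
	 * pending; SFD_CLOEXEC keeps the fd from leaking across exec(). */
	fd = signalfd(-1, &mask, SFD_CLOEXEC | SFD_NONBLOCK);
	if (fd == -1)
		goto out_mask;

	fdflags = fcntl(fd, F_GETFD);
	if (cloexec_set)
		*cloexec_set = (fdflags != -1) && (fdflags & FD_CLOEXEC) != 0;

	/* The signal is blocked, so it stays pending until we read it. */
	if (post_signal && raise(signo) != 0)
		goto out_close;

	n = read(fd, &si, sizeof(si));
	if (n == (ssize_t) sizeof(si))
		result = (int) si.ssi_signo;	/* the si_signo field */
	else if (n == -1 && errno == EAGAIN)
		result = 0;

out_close:
	close(fd);
out_mask:
	sigprocmask(SIG_SETMASK, &old, NULL);
	return result;
}

/* A read() whose buffer is smaller than sizeof(struct signalfd_siginfo)
 * is rejected before any signal is looked at.  Returns the errno seen. */
int signalfd_short_read_errno(void)
{
	sigset_t mask;
	char small[4];
	int fd, err;

	sigemptyset(&mask);
	sigaddset(&mask, SIGUSR2);
	fd = signalfd(-1, &mask, SFD_CLOEXEC | SFD_NONBLOCK);
	if (fd == -1)
		return errno;
	err = (read(fd, small, sizeof(small)) == -1) ? errno : 0;
	close(fd);
	return err;
}
```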

/* New file descriptors */
cond_syscall(sys_signalfd);
flag parameters: signalfd
This patch adds the new signalfd4 syscall. It extends the old signalfd
syscall by one parameter which is meant to hold a flag value. In this
patch the only flag support is SFD_CLOEXEC which causes the close-on-exec
flag for the returned file descriptor to be set.
A new name SFD_CLOEXEC is introduced which in this implementation must
have the same value as O_CLOEXEC.
The following test must be adjusted for architectures other than x86 and
x86-64 and in case the syscall numbers changed.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>

#ifndef __NR_signalfd4
# ifdef __x86_64__
#  define __NR_signalfd4 289
# elif defined __i386__
#  define __NR_signalfd4 327
# else
#  error "need __NR_signalfd4"
# endif
#endif

#define SFD_CLOEXEC O_CLOEXEC

int
main (void)
{
  sigset_t ss;
  sigemptyset (&ss);
  sigaddset (&ss, SIGUSR1);
  int fd = syscall (__NR_signalfd4, -1, &ss, 8, 0);
  if (fd == -1)
    {
      puts ("signalfd4(0) failed");
      return 1;
    }
  int coe = fcntl (fd, F_GETFD);
  if (coe == -1)
    {
      puts ("fcntl failed");
      return 1;
    }
  if (coe & FD_CLOEXEC)
    {
      puts ("signalfd4(0) set close-on-exec flag");
      return 1;
    }
  close (fd);

  fd = syscall (__NR_signalfd4, -1, &ss, 8, SFD_CLOEXEC);
  if (fd == -1)
    {
      puts ("signalfd4(SFD_CLOEXEC) failed");
      return 1;
    }
  coe = fcntl (fd, F_GETFD);
  if (coe == -1)
    {
      puts ("fcntl failed");
      return 1;
    }
  if ((coe & FD_CLOEXEC) == 0)
    {
      puts ("signalfd4(SFD_CLOEXEC) does not set close-on-exec flag");
      return 1;
    }
  close (fd);

  puts ("OK");

  return 0;
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[akpm@linux-foundation.org: add sys_ni stub]
Signed-off-by: Ulrich Drepper <drepper@redhat.com>
Acked-by: Davide Libenzi <davidel@xmailserver.org>
Cc: Michael Kerrisk <mtk.manpages@googlemail.com>
Cc: <linux-arch@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-07-24 11:29:24 +07:00
cond_syscall(sys_signalfd4);
cond_syscall(compat_sys_signalfd);
cond_syscall(compat_sys_signalfd4);
timerfd: new timerfd API
This is the new timerfd API as it is implemented by the following patch:
int timerfd_create(int clockid, int flags);
int timerfd_settime(int ufd, int flags,
const struct itimerspec *utmr,
struct itimerspec *otmr);
int timerfd_gettime(int ufd, struct itimerspec *otmr);
The timerfd_create() API creates an un-programmed timerfd fd. The "clockid"
parameter can be either CLOCK_MONOTONIC or CLOCK_REALTIME.
The timerfd_settime() API gives new settings to the timerfd fd, optionally
retrieving the previous expiration time (in case the "otmr" parameter is not
NULL).
The time value specified in "utmr" is absolute, if the TFD_TIMER_ABSTIME bit
is set in the "flags" parameter. Otherwise it's a relative time.
The timerfd_gettime() API returns the next expiration time of the timer, or
{0, 0} if the timerfd has not been set yet.
Like the previous timerfd API implementation, read(2) and poll(2) are
supported (with the same interface). Here's a simple test program I used to
exercise the new timerfd APIs:
http://www.xmailserver.org/timerfd-test2.c
[akpm@linux-foundation.org: coding-style cleanups]
[akpm@linux-foundation.org: fix ia64 build]
[akpm@linux-foundation.org: fix m68k build]
[akpm@linux-foundation.org: fix mips build]
[akpm@linux-foundation.org: fix alpha, arm, blackfin, cris, m68k, s390, sparc and sparc64 builds]
[heiko.carstens@de.ibm.com: fix s390]
[akpm@linux-foundation.org: fix powerpc build]
[akpm@linux-foundation.org: fix sparc64 more]
Signed-off-by: Davide Libenzi <davidel@xmailserver.org>
Cc: Michael Kerrisk <mtk-manpages@gmx.net>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Davide Libenzi <davidel@xmailserver.org>
Cc: Michael Kerrisk <mtk-manpages@gmx.net>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Davide Libenzi <davidel@xmailserver.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-02-05 13:27:26 +07:00
cond_syscall(sys_timerfd_create);
cond_syscall(sys_timerfd_settime);
cond_syscall(sys_timerfd_gettime);
cond_syscall(compat_sys_timerfd_settime);
cond_syscall(compat_sys_timerfd_gettime);
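The timerfd API described in the commit message above, exercised from userspace. This is an added example, not code from sys_ni.c or from the timerfd patch; it assumes Linux with the glibc wrappers in <sys/timerfd.h>. It shows the three calls together: an un-programmed fd reporting {0, 0}, a relative and an absolute one-shot timer consumed through read(2), the previous setting handed back via "otmr" on re-arm, and the EAGAIN behaviour of a non-blocking fd whose timer has not fired.

```c
/* Added example (not part of sys_ni.c or the timerfd patch): the three
 * timerfd syscalls as seen from userspace. Assumes Linux + glibc. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/timerfd.h>
#include <time.h>
#include <unistd.h>

/* timerfd_gettime() on a fresh, un-programmed timerfd reports {0,0}.
 * Returns 1 if so, 0 if not, -1 on syscall failure. */
int timerfd_unarmed_reports_zero(void)
{
    int fd = timerfd_create(CLOCK_REALTIME, TFD_CLOEXEC);
    if (fd < 0)
        return -1;
    struct itimerspec cur;
    int rc = timerfd_gettime(fd, &cur);
    close(fd);
    if (rc < 0)
        return -1;
    return cur.it_value.tv_sec == 0 && cur.it_value.tv_nsec == 0 &&
           cur.it_interval.tv_sec == 0 && cur.it_interval.tv_nsec == 0;
}

/* Arm a one-shot timer `ms` milliseconds away, either relative (flags 0) or
 * as an absolute CLOCK_MONOTONIC deadline (TFD_TIMER_ABSTIME), then block in
 * read(2) until it fires. read(2) yields a __u64 expiration count, which is
 * exactly 1 for a one-shot timer. Returns that count, or -1 on error. */
int timerfd_wait_ms(long ms, int absolute)
{
    int fd = timerfd_create(CLOCK_MONOTONIC, TFD_CLOEXEC);
    if (fd < 0)
        return -1;
    struct itimerspec its = { 0 };
    its.it_value.tv_sec = ms / 1000;
    its.it_value.tv_nsec = (ms % 1000) * 1000000L;
    int flags = 0;
    if (absolute) {
        struct timespec now;
        clock_gettime(CLOCK_MONOTONIC, &now);
        its.it_value.tv_sec += now.tv_sec;
        its.it_value.tv_nsec += now.tv_nsec;
        if (its.it_value.tv_nsec >= 1000000000L) {
            its.it_value.tv_sec++;
            its.it_value.tv_nsec -= 1000000000L;
        }
        flags = TFD_TIMER_ABSTIME;
    }
    /* otmr is NULL: the previous (unset) value is of no interest here */
    if (timerfd_settime(fd, flags, &its, NULL) < 0) {
        close(fd);
        return -1;
    }
    uint64_t expirations = 0;
    ssize_t n = read(fd, &expirations, sizeof expirations);
    close(fd);
    return n == (ssize_t)sizeof expirations ? (int)expirations : -1;
}

/* Re-arming returns the previous setting through otmr. Returns 1 if the
 * remaining time reported is positive and within the original 1 s period. */
int timerfd_settime_returns_previous(void)
{
    int fd = timerfd_create(CLOCK_MONOTONIC, TFD_CLOEXEC);
    if (fd < 0)
        return -1;
    struct itimerspec first = { 0 }, second = { 0 }, prev = { 0 };
    first.it_value.tv_sec = 1;
    second.it_value.tv_sec = 2;
    int rc = timerfd_settime(fd, 0, &first, NULL);
    if (rc == 0)
        rc = timerfd_settime(fd, 0, &second, &prev);
    close(fd);
    if (rc < 0)
        return -1;
    long remaining_ns = prev.it_value.tv_sec * 1000000000L + prev.it_value.tv_nsec;
    return remaining_ns > 0 && remaining_ns <= 1000000000L;
}

/* With TFD_NONBLOCK, reading an armed but unexpired timerfd fails with
 * EAGAIN instead of blocking. Returns 1 if so. */
int timerfd_nonblock_eagain(void)
{
    int fd = timerfd_create(CLOCK_MONOTONIC, TFD_CLOEXEC | TFD_NONBLOCK);
    if (fd < 0)
        return -1;
    struct itimerspec its = { 0 };
    its.it_value.tv_sec = 3600;        /* far enough away not to fire */
    if (timerfd_settime(fd, 0, &its, NULL) < 0) {
        close(fd);
        return -1;
    }
    uint64_t v;
    ssize_t n = read(fd, &v, sizeof v);
    int err = errno;
    close(fd);
    return n < 0 && err == EAGAIN;
}

int main(void)
{
    printf("unarmed {0,0}: %d  relative: %d  absolute: %d  otmr: %d  EAGAIN: %d\n",
           timerfd_unarmed_reports_zero(), timerfd_wait_ms(20, 0),
           timerfd_wait_ms(20, 1), timerfd_settime_returns_previous(),
           timerfd_nonblock_eagain());
    return 0;
}
```

The absolute form matters when the deadline is computed from a clock reading taken earlier: a relative value would silently drift by however long the caller spent between reading the clock and arming the timer.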
signal/timer/event: eventfd core
This is a very simple and light file descriptor that can be used as event
wait/dispatch by userspace (both wait and dispatch) and by the kernel
(dispatch only). It can be used instead of pipe(2) in all cases where those
would simply be used to signal events. Their kernel overhead is much lower
than pipes, and they do not consume two fds. When used in the kernel, it can
offer an fd-bridge to enable, for example, functionalities like KAIO or
syslets/threadlets to signal to an fd the completion of certain operations.
But more in general, an eventfd can be used by the kernel to signal readiness,
in a POSIX poll/select way, of interfaces that would otherwise be incompatible
with it. The API is:
int eventfd(unsigned int count);
The eventfd API accepts an initial "count" parameter, and returns an eventfd
fd. It supports poll(2) (POLLIN, POLLOUT, POLLERR), read(2) and write(2).
The POLLIN flag is raised when the internal counter is greater than zero.
The POLLOUT flag is raised when at least a value of "1" can be written to the
internal counter.
The POLLERR flag is raised when an overflow in the counter value is detected.
The write(2) operation can never overflow the counter, since it blocks (unless
O_NONBLOCK is set, in which case -EAGAIN is returned).
But the eventfd_signal() function can do it, since it's supposed to not sleep
during its operation.
The read(2) function reads the __u64 counter value, and resets the internal
value to zero. If the value read is equal to (__u64) -1, an overflow happened
on the internal counter (due to 2^64 eventfd_signal() posts that have never
been retired - unlikely, but possible).
The write(2) call writes an __u64 count value, and adds it to the current
counter. The eventfd fd supports O_NONBLOCK also.
On the kernel side, we have:
struct file *eventfd_fget(int fd);
int eventfd_signal(struct file *file, unsigned int n);
The eventfd_fget() should be called to get a struct file* from an eventfd fd
(this is an fget() + check of f_op being an eventfd fops pointer).
The kernel can then call eventfd_signal() every time it wants to post an event
to userspace. The eventfd_signal() function can be called from any context.
An eventfd() simple test and bench is available here:
http://www.xmailserver.org/eventfd-bench.c
This is the eventfd-based version of pipetest-4 (pipe(2) based):
http://www.xmailserver.org/pipetest-4.c
Not that performance matters much in the eventfd case, but eventfd-bench
shows almost double the performance of pipetest-4.
[akpm@linux-foundation.org: fix i386 build]
[akpm@linux-foundation.org: add sys_eventfd to sys_ni.c]
Signed-off-by: Davide Libenzi <davidel@xmailserver.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-05-11 12:23:19 +07:00
cond_syscall(sys_eventfd);
2008-07-24 11:29:25 +07:00
cond_syscall(sys_eventfd2);
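The userspace side of the eventfd counter semantics laid out in the commit message above, as an added example that is not part of sys_ni.c or the eventfd patch. It assumes Linux and the glibc eventfd() wrapper, which goes through eventfd2 so that the EFD_CLOEXEC and EFD_NONBLOCK flags are available. Besides the basic add-then-read round trip and the POLLIN/POLLOUT readiness rules, it checks the two guards the message describes: a write that would overflow the counter does not wrap (it returns EAGAIN on a non-blocking fd), and the value (u64)-1 is rejected because read(2) reserves it to report an overflow caused by in-kernel eventfd_signal() posts.

```c
/* Added example (not part of sys_ni.c or the eventfd patch): eventfd counter
 * semantics from userspace. Assumes Linux + glibc (eventfd2 under the hood). */
#define _GNU_SOURCE
#include <errno.h>
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/eventfd.h>
#include <unistd.h>

/* Post `a` then `b`; one read(2) returns their sum and zeroes the counter.
 * Returns the value read, or 0 on any failure. */
uint64_t eventfd_sum(uint64_t a, uint64_t b)
{
    int fd = eventfd(0, EFD_CLOEXEC);
    if (fd < 0)
        return 0;
    uint64_t v = 0;
    if (write(fd, &a, sizeof a) == (ssize_t)sizeof a &&
        write(fd, &b, sizeof b) == (ssize_t)sizeof b) {
        if (read(fd, &v, sizeof v) != (ssize_t)sizeof v)
            v = 0;
    }
    close(fd);
    return v;
}

/* poll(2) readiness for a counter holding `count`:
 * bit 0 = POLLIN (count > 0), bit 1 = POLLOUT (at least 1 more fits).
 * Returns -1 on error. */
int eventfd_poll_state(uint64_t count)
{
    int fd = eventfd(0, EFD_CLOEXEC | EFD_NONBLOCK);
    if (fd < 0)
        return -1;
    if (count && write(fd, &count, sizeof count) != (ssize_t)sizeof count) {
        close(fd);
        return -1;
    }
    struct pollfd p = { .fd = fd, .events = POLLIN | POLLOUT };
    int r = poll(&p, 1, 0);
    close(fd);
    if (r < 0)
        return -1;
    return ((p.revents & POLLIN) ? 1 : 0) | ((p.revents & POLLOUT) ? 2 : 0);
}

/* Userspace can never push the counter past 0xfffffffffffffffe: the write
 * blocks (EAGAIN when non-blocking) rather than wrapping, and (u64)-1 is
 * refused outright since read(2) uses it to report an in-kernel overflow.
 * Returns 1 if every guard behaves as described, 0 otherwise, -1 on error. */
int eventfd_overflow_guard(void)
{
    int fd = eventfd(0, EFD_CLOEXEC | EFD_NONBLOCK);
    if (fd < 0)
        return -1;
    uint64_t full = UINT64_MAX - 1, one = 1, bad = UINT64_MAX, v = 0;
    int ok = 1;
    ok &= write(fd, &full, sizeof full) == (ssize_t)sizeof full; /* fills it */
    ok &= write(fd, &one, sizeof one) < 0 && errno == EAGAIN;    /* would overflow */
    ok &= write(fd, &bad, sizeof bad) < 0 && errno == EINVAL;    /* reserved value */
    ok &= read(fd, &v, sizeof v) == (ssize_t)sizeof v && v == full;
    ok &= read(fd, &v, sizeof v) < 0 && errno == EAGAIN;         /* now empty */
    close(fd);
    return ok;
}

int main(void)
{
    printf("3 + 4 -> %llu\n", (unsigned long long)eventfd_sum(3, 4));
    printf("poll(empty)=%d poll(5)=%d poll(full)=%d\n",
           eventfd_poll_state(0), eventfd_poll_state(5),
           eventfd_poll_state(UINT64_MAX - 1));
    printf("overflow guards hold: %d\n", eventfd_overflow_guard());
    return 0;
}
```

A consumer that treats the eventfd as a "something happened" doorbell should still check for the (u64)-1 sentinel on read: it is the only signal that kernel-side posts were lost to saturation.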
shm: add memfd_create() syscall
memfd_create() is similar to mmap(MAP_ANON), but returns a file-descriptor
that you can pass to mmap(). It can support sealing and avoids any
connection to user-visible mount-points. Thus, it's not subject to quotas
on mounted file-systems, and can be used like malloc()'ed memory, but with
a file-descriptor to it.
memfd_create() returns the raw shmem file, so calls like ftruncate() can
be used to modify the underlying inode. Also calls like fstat() will
return proper information and mark the file as a regular file. If you want
sealing, you can specify MFD_ALLOW_SEALING. Otherwise, sealing is not
supported (like on all other regular files).
Compared to O_TMPFILE, it does not require a tmpfs mount-point and is not
subject to a filesystem size limit. It is still properly accounted to
memcg limits, though, and to the same overcommit or no-overcommit
accounting as all user memory.
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Acked-by: Hugh Dickins <hughd@google.com>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Ryan Lortie <desrt@desrt.ca>
Cc: Lennart Poettering <lennart@poettering.net>
Cc: Daniel Mack <zonque@gmail.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-08-09 04:25:29 +07:00
cond_syscall(sys_memfd_create);
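Sealing is what makes memfd_create() interesting from a security standpoint: a producer can fill a buffer, seal it, and hand the descriptor to an untrusted peer, and the peer can validate the contents once and then mmap or read them with no risk of the producer shrinking the file (which would turn accesses into SIGBUS) or rewriting it after validation. The following added example (not code from sys_ni.c or the memfd_create patch) demonstrates this with the F_ADD_SEALS/F_GET_SEALS fcntl(2) commands, and contrasts it with a memfd created without MFD_ALLOW_SEALING. It assumes Linux with glibc 2.27 or later for the memfd_create() wrapper.

```c
/* Added example (not part of sys_ni.c or the memfd_create patch): building an
 * immutable shared buffer with memfd_create() + file sealing.
 * Assumes Linux, glibc >= 2.27. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#define ALL_SEALS (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)

/* Fill a sealable memfd with `len` bytes of `data`, then seal it completely.
 * Returns the F_GET_SEALS mask once every mutation path has been verified to
 * fail with EPERM and the content is still readable; -2 if a guard did not
 * hold; -1 on error. */
int memfd_seal_immutable(const char *data, size_t len)
{
    int fd = memfd_create("sealed-example", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0)
        return -1;
    if (ftruncate(fd, (off_t)len) < 0 ||
        pwrite(fd, data, len, 0) != (ssize_t)len ||
        fcntl(fd, F_ADD_SEALS, ALL_SEALS) < 0) {   /* fails with EBUSY if writable mmaps exist */
        close(fd);
        return -1;
    }
    int seals = fcntl(fd, F_GET_SEALS);
    int ok = 1;
    ok &= ftruncate(fd, (off_t)(len / 2)) < 0 && errno == EPERM; /* F_SEAL_SHRINK */
    ok &= ftruncate(fd, (off_t)(len * 2)) < 0 && errno == EPERM; /* F_SEAL_GROW */
    ok &= pwrite(fd, "x", 1, 0) < 0 && errno == EPERM;           /* F_SEAL_WRITE */
    ok &= fcntl(fd, F_ADD_SEALS, 0) < 0 && errno == EPERM;       /* F_SEAL_SEAL */
    /* Reading is unaffected and fstat() shows an ordinary regular file. */
    char back[64] = { 0 };
    struct stat st;
    ok &= len < sizeof back && pread(fd, back, len, 0) == (ssize_t)len &&
          memcmp(back, data, len) == 0;
    ok &= fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && (size_t)st.st_size == len;
    close(fd);
    return ok ? seals : -2;
}

/* Without MFD_ALLOW_SEALING the file is born carrying F_SEAL_SEAL, so no seal
 * can ever be added. A consumer must therefore check F_GET_SEALS itself
 * before trusting a received memfd. Returns the seal mask, -2 if F_ADD_SEALS
 * unexpectedly succeeded, -1 on error. */
int memfd_default_seals(void)
{
    int fd = memfd_create("plain-example", MFD_CLOEXEC);
    if (fd < 0)
        return -1;
    int add_rc = fcntl(fd, F_ADD_SEALS, F_SEAL_WRITE);
    int seals = fcntl(fd, F_GET_SEALS);
    close(fd);
    return add_rc < 0 ? seals : -2;
}

int main(void)
{
    const char msg[] = "hello, sealed world";   /* constructed sample payload */
    printf("sealed mask: %d (expected at least %d)\n",
           memfd_seal_immutable(msg, sizeof msg - 1), ALL_SEALS);
    printf("default mask without MFD_ALLOW_SEALING: %d\n", memfd_default_seals());
    return 0;
}
```

The checks mask with ALL_SEALS rather than comparing for equality because newer kernels may add further seals (for example an exec seal under a hardened vm.memfd_noexec policy) on top of the ones requested here.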
2008-12-05 02:12:29 +07:00
/* performance counters: */
perf: Do the big rename: Performance Counters -> Performance Events
Bye-bye Performance Counters, welcome Performance Events!
In the past few months the perfcounters subsystem has grown out of its
initial role of counting hardware events, and has become (and is
becoming) a much broader generic event enumeration, reporting, logging,
monitoring, analysis facility.
Naming its core object 'perf_counter' and naming the subsystem
'perfcounters' has become more and more of a misnomer. With pending
code like hw-breakpoints support the 'counter' name is less and
less appropriate.
All in one, we've decided to rename the subsystem to 'performance
events' and to propagate this rename through all fields, variables
and API names. (in an ABI compatible fashion)
The word 'event' is also a bit shorter than 'counter' - which makes
it slightly more convenient to write/handle as well.
Thanks goes to Stephane Eranian who first observed this misnomer and
suggested a rename.
User-space tooling and ABI compatibility are not affected - this patch
should be function-invariant. (Also, defconfigs were not touched to
keep the size down.)
This patch has been generated via the following script:
FILES=$(find * -type f | grep -vE 'oprofile|[^K]config')
sed -i \
-e 's/PERF_EVENT_/PERF_RECORD_/g' \
-e 's/PERF_COUNTER/PERF_EVENT/g' \
-e 's/perf_counter/perf_event/g' \
-e 's/nb_counters/nb_events/g' \
-e 's/swcounter/swevent/g' \
-e 's/tpcounter_event/tp_event/g' \
$FILES
for N in $(find . -name perf_counter.[ch]); do
M=$(echo $N | sed 's/perf_counter/perf_event/g')
mv $N $M
done
FILES=$(find . -name perf_event.*)
sed -i \
-e 's/COUNTER_MASK/REG_MASK/g' \
-e 's/COUNTER/EVENT/g' \
-e 's/\<event\>/event_id/g' \
-e 's/counter/event/g' \
-e 's/Counter/Event/g' \
$FILES
... to keep it as correct as possible. This script can also be
used by anyone who has pending perfcounters patches - it converts
a Linux kernel tree over to the new naming. We tried to time this
change to the point in time where the amount of pending patches
is the smallest: the end of the merge window.
Namespace clashes were fixed up in a preparatory patch - and some
stylistic fallout will be fixed up in a subsequent patch.
( NOTE: 'counters' are still the proper terminology when we deal
with hardware registers - and these sed scripts are a bit
over-eager in renaming them. I've undone some of that, but
in case there's something left where 'counter' would be
better than 'event' we can undo that on an individual basis
instead of touching an otherwise nicely automated patch. )
Suggested-by: Stephane Eranian <eranian@google.com>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Acked-by: Paul Mackerras <paulus@samba.org>
Reviewed-by: Arjan van de Ven <arjan@linux.intel.com>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: David Howells <dhowells@redhat.com>
Cc: Kyle McMartin <kyle@mcmartin.ca>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: <linux-arch@vger.kernel.org>
LKML-Reference: <new-submission>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2009-09-21 17:02:48 +07:00
cond_syscall(sys_perf_event_open);
2009-12-18 09:24:25 +07:00
/* fanotify! */
cond_syscall(sys_fanotify_init);
2009-12-18 09:24:26 +07:00
cond_syscall(sys_fanotify_mark);
2013-03-06 08:10:59 +07:00
cond_syscall(compat_sys_fanotify_mark);
2011-01-29 20:13:26 +07:00
/* open by handle */
cond_syscall(sys_name_to_handle_at);
2011-01-29 20:13:26 +07:00
cond_syscall(sys_open_by_handle_at);
cond_syscall(compat_sys_open_by_handle_at);
2012-06-01 06:26:44 +07:00
/* compare kernel pointers */
cond_syscall(sys_kcmp);
2014-06-26 06:08:24 +07:00
/* operate on Secure Computing state */
cond_syscall(sys_seccomp);
2014-09-26 14:16:58 +07:00
/* access BPF programs and maps */
cond_syscall(sys_bpf);
syscalls: implement execveat() system call
This patchset adds execveat(2) for x86, and is derived from Meredydd
Luff's patch from Sept 2012 (https://lkml.org/lkml/2012/9/11/528).
The primary aim of adding an execveat syscall is to allow an
implementation of fexecve(3) that does not rely on the /proc filesystem,
at least for executables (rather than scripts). The current glibc version
of fexecve(3) is implemented via /proc, which causes problems in sandboxed
or otherwise restricted environments.
Given the desire for a /proc-free fexecve() implementation, HPA suggested
(https://lkml.org/lkml/2006/7/11/556) that an execveat(2) syscall would be
an appropriate generalization.
Also, having a new syscall means that it can take a flags argument without
back-compatibility concerns. The current implementation just defines the
AT_EMPTY_PATH and AT_SYMLINK_NOFOLLOW flags, but other flags could be
added in future -- for example, flags for new namespaces (as suggested at
https://lkml.org/lkml/2006/7/11/474).
Related history:
- https://lkml.org/lkml/2006/12/27/123 is an example of someone
realizing that fexecve() is likely to fail in a chroot environment.
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514043 covered
documenting the /proc requirement of fexecve(3) in its manpage, to
"prevent other people from wasting their time".
- https://bugzilla.redhat.com/show_bug.cgi?id=241609 described a
problem where a process that did setuid() could not fexecve()
because it no longer had access to /proc/self/fd; this has since
been fixed.
This patch (of 4):
Add a new execveat(2) system call. execveat() is to execve() as openat()
is to open(): it takes a file descriptor that refers to a directory, and
resolves the filename relative to that.
In addition, if the filename is empty and AT_EMPTY_PATH is specified,
execveat() executes the file to which the file descriptor refers. This
replicates the functionality of fexecve(), which is a system call in other
UNIXen, but in Linux glibc it depends on opening "/proc/self/fd/<fd>" (and
so relies on /proc being mounted).
The filename fed to the executed program as argv[0] (or the name of the
script fed to a script interpreter) will be of the form "/dev/fd/<fd>"
(for an empty filename) or "/dev/fd/<fd>/<filename>", effectively
reflecting how the executable was found. This does however mean that
execution of a script in a /proc-less environment won't work; also, script
execution via an O_CLOEXEC file descriptor fails (as the file will not be
accessible after exec).
Based on patches by Meredydd Luff.
Signed-off-by: David Drysdale <drysdale@google.com>
Cc: Meredydd Luff <meredydd@senatehouse.org>
Cc: Shuah Khan <shuah.kh@samsung.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Rich Felker <dalias@aerifal.cx>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-12-13 07:57:29 +07:00
/* execveat */
cond_syscall(sys_execveat);
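Both lookup modes of execveat(2) from the commit message above, as an added example that is not code from sys_ni.c or the execveat patch. The first is the /proc-free fexecve(3) pattern the patch was written for: open the binary, then exec the descriptor itself with an empty path and AT_EMPTY_PATH, which is what a sandboxed process without /proc needs. The second resolves a name relative to a directory descriptor, exactly as openat() does for open(). The example uses the raw syscall number rather than the glibc execveat() wrapper (which only appeared in glibc 2.34) and assumes Linux with /bin/sh present as the program to run; /bin/sh is an ELF binary, so opening it O_CLOEXEC is fine, whereas, as the message notes, a script opened O_CLOEXEC would fail to run.

```c
/* Added example (not part of sys_ni.c or the execveat patch): execveat(2)
 * by open descriptor (AT_EMPTY_PATH) and relative to a directory fd.
 * Assumes Linux and an ELF /bin/sh. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Raw syscall so the example does not depend on glibc >= 2.34. */
static long do_execveat(int dirfd, const char *path, char *const argv[],
                        char *const envp[], int flags)
{
    return syscall(SYS_execveat, dirfd, path, argv, envp, flags);
}

/* Fork, execveat() "sh -c 'exit <code>'" in the child, and return the
 * child's exit status. Returns -1 if the exec failed (child exits 127, so
 * callers must not pass code == 127) or the child did not exit normally. */
static int spawn_via_execveat(int dirfd, const char *path, int flags, int code)
{
    char cmd[32];
    snprintf(cmd, sizeof cmd, "exit %d", code);
    char *argv[] = { "sh", "-c", cmd, NULL };
    char *envp[] = { NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        do_execveat(dirfd, path, argv, envp, flags);
        _exit(127);                    /* only reached if execveat failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 127 ? -1 : WEXITSTATUS(status);
}

/* fexecve(3) without /proc: the descriptor is the program. */
int exec_by_fd_status(const char *binary, int code)
{
    int fd = open(binary, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    int status = spawn_via_execveat(fd, "", AT_EMPTY_PATH, code);
    close(fd);
    return status;
}

/* openat()-style lookup: `name` is resolved relative to `dir`, not to the
 * caller's cwd, so the binary's location is pinned by the fd the caller holds. */
int exec_relative_status(const char *dir, const char *name, int code)
{
    int dirfd = open(dir, O_PATH | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0)
        return -1;
    int status = spawn_via_execveat(dirfd, name, 0, code);
    close(dirfd);
    return status;
}

int main(void)
{
    printf("by fd: exit %d\n", exec_by_fd_status("/bin/sh", 7));
    printf("relative to /bin: exit %d\n", exec_relative_status("/bin", "sh", 3));
    return 0;
}
```

Pinning the program by descriptor closes the window between validating a file (for example checking its hash or its origin mount) and executing it: a path-based execve() could be redirected in that interval, while the opened fd always refers to the inode that was inspected.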